Leo Platform / RStreams — czirker maintainer account hijacked, 20 npm packages backdoored in 3 seconds
On 2026-06-24 at 23:04:55 UTC an attacker used the compromised czirker npm maintainer account to publish malicious versions of 20 Leo Platform / RStreams packages in a sub-3-second automated burst. Each tarball ships a weaponised binding.gyp that hides a node-gyp command-substitution payload — the same "Phantom Gyp" hook used in the 2026-06-01 Miasma @redhat-cloud-services worm — running a Bun-runtime credential stealer (the Shai-Hulud "Hades" payload) that exfiltrates AWS/GCP/Azure/Kubernetes/Vault/npm/PyPI/GitHub/1Password secrets via the victim's own GitHub token.
- Detected by
- StepSecurity · SafeDep · JFrog · Microsoft Threat Intelligence · Sonatype
- Also known as
- Miasma · Shai-Hulud Hades · Phantom Gyp · Leo Platform burst · RStreams compromise
- Ecosystems
- npm
- Packages tracked
- 2
What happened
On 2026-06-24 at 23:04:55 UTC, a single automated burst — completing in under three seconds — published malicious versions of 20 Leo Platform / RStreams npm packages from the czirker maintainer account (CZirker@commercehub.com). Microsoft Threat Intelligence, StepSecurity, SafeDep, JFrog and Sonatype independently confirmed the campaign; Sonatype tallied 23 malicious package versions across the 20 packages. Combined, the affected packages draw ~13,600 downloads per week, with leo-logger, leo-sdk, leo-aws, leo-config, and leo-streams the highest-traffic targets.
Delivery — "Phantom Gyp" reborn
Each malicious tarball ships a tiny binding.gyp alongside a ~5 MB index.js. There is no postinstall script — the install hook is hidden inside node-gyp's command expansion. The sources array contains <!(node index.js > /dev/null 2>&1 && echo stub.c), which node-gyp evaluates as a shell command during npm install (or any later node-gyp rebuild). The index.js runs to completion, the echo stub.c writes a placeholder C file, and node-gyp continues happily — defeating naive lifecycle-script scanners that only watch preinstall / postinstall. This is the same Phantom Gyp hook syntax StepSecurity first published in their 2026-06-03 analysis of the original Miasma @redhat-cloud-services worm.
Payload — Shai-Hulud "Hades"
index.js is a three-layer dropper: a ROT character-code cipher, then two AES-128-GCM encrypted blobs, then obfuscator.io string-array protection. After unwrapping, it downloads Bun-1.3.13-linux-x64.zip (the Bun runtime), extracts it, writes the toolkit to /tmp/p.js, and execs it under Bun rather than Node. This sidesteps every Node-level instrumentation and EDR module-load hook — and gives the implant a single static binary with TLS and HTTP/2 built in, no dynamic linking to fingerprint.
The Hades toolkit performs a sweeping credential collection: AWS (IMDS, Secrets Manager, SSM, ECS task-role), GCP (metadata service, service-account keys), Azure (managed identity, Key Vault, federated credentials), HashiCorp Vault (probes 10+ token-file locations), Kubernetes (service-account token), npm, PyPI, RubyGems, JFrog, GitHub PATs (especially gh CLI configs), shell history, environment variables, and 1Password session tokens. Exfiltration uses the victim's own GitHub token to commit the envelope to attacker-controlled / shadow repos — the same dead-drop pattern as the leaked Miasma kit.
Worm step — npm bypass_2fa
If an npm publish token is found, the payload calls npm's automation-token bypass_2fa API to publish further malicious versions of every package the victim can write to, without prompting the maintainer's 2FA challenge. This is the same self-spreading step JFrog reported in the original Miasma campaign, suggesting the same operator (or kit user) 21 days later.
Attribution & timeline
- 2026-06-01 — Miasma worm hits 32
@redhat-cloud-services/*packages (Wiz / ReversingLabs / JFrog). - 2026-06-03 — StepSecurity publishes the Phantom Gyp binding.gyp analysis.
- 2026-06-10 — Miasma toolkit (including dead-drop channel names) leaks publicly.
- 2026-06-24 15:39 UTC —
codfish/semantic-release-actiontag-hijack drops a Miasma-family payload (thebeautifulsnadsoftimemarker). - 2026-06-24 23:04 UTC —
czirkerLeo Platform burst. Same payload family, fresh ecosystem.
Affected version uncertainty
StepSecurity confirmed leo-logger@1.0.8 and leo-sdk@6.0.19 by full and spot analysis. The other 18 packages were published in the same 3-second burst from the same maintainer account; npm has subsequently yanked the malicious versions but the per-package version numbers are not enumerated in the public disclosure tables. The packages map below lists every package the czirker account had publish rights to (per the npm registry maintainer:czirker search) as the at-risk set. Pin or audit any version of these packages installed on or after 2026-06-24 23:04 UTC, even where the exact version string is not yet in the table.
Affected packages (2)
- npm
leo-logger1.0.8 - npm
leo-sdk6.0.19
Impact
npm installof any affected version triggersnode-gypbuild, which evaluates thebinding.gypsourcesarray — the array contains<!(node index.js > /dev/null 2>&1 && echo stub.c), causingindex.jsto run before any application code (no postinstall script, so lifecycle-script scanners miss it)- Multi-cloud credential sweep: AWS (IMDS, Secrets Manager, SSM, ECS), GCP (metadata service, service-account keys), Azure (managed identity, Key Vault, federated credentials), HashiCorp Vault (10+ token-file locations), Kubernetes service-account tokens
- Package-registry token theft: npm, PyPI, RubyGems, JFrog; GitHub PATs harvested from
ghCLI configs - Password-manager theft: 1Password session tokens
- Worm propagation: if an
npmpublish token is harvested, the payload calls the npmbypass_2faAPI to publish further malicious versions to any package the victim can write to — without triggering the maintainer's 2FA prompt - EDR evasion: payload writes the toolkit to
/tmp/p.jsand runs it under Bun v1.3.13 (downloaded at runtime) rather than Node, sidestepping Node-based hooks and module-load detection - RStreams platform is an AWS-native streaming SDK widely embedded in Kinesis / Firehose / Lambda / S3 pipelines — any CI build that installed an affected version exposes the pipeline's AWS role
What to do
- 1Audit every
package.json/ lockfile / CI image cache for the affectedleo-*andrstreams-*versions listed in the packages map below — npm has yanked the malicious versions but cached copies in Artifactory / Nexus / CI image layers / committednode_modulesremain in scope - 2Run
npm ci --ignore-scripts(orpnpm install --ignore-scripts/yarn install --ignore-scripts) on any CI build that does not need native add-ons. Even with that flag, the Phantom Gyp hook still fires ifnode-gyp rebuildruns separately — also pin or stubnode-gypin your CI image - 3Rotate every secret reachable from a host that ran an affected install on or after 2026-06-24 23:04 UTC: AWS access keys + ECS task role + Secrets Manager / SSM entries; GCP service-account keys; Azure managed-identity tokens; Kubernetes SA tokens; Vault tokens; npm publish tokens; PyPI/RubyGems/JFrog tokens; GitHub PATs (especially long-lived
ghCLI tokens); 1Password session tokens - 4Hunt outbound HTTPS to GitHub API from build hosts that wrote new public/private repos using a Leo Platform-adjacent token — the Shai-Hulud Hades exfil channel uses the victim's own GitHub PAT to commit envelopes to attacker-controlled or victim-shadow repos
- 5Search npm publish history for any package the compromised host could write to — Hades will have published descendant infections via
bypass_2faif a publish token was reachable - 6Block the affected version ranges in your private mirror / Artifactory / Nexus so cached copies cannot be served
- 7Add the literal string
Bun-1.3.13-linux-x64.zipand the path/tmp/p.jsto host EDR / file-integrity alerts on build runners
References
- StepSecurityMass npm Supply Chain Attack: 20 Leo Platform Packages Compromisedstepsecurity.io
- SafeDepMiasma Worm Infects Multiple LeoPlatform npm Packagessafedep.io
- JFrog Security ResearchShai-Hulud Continues: Hades Payload Hits Leo/RStreams npm Packagesresearch.jfrog.com
- Security BoulevardMiasma Returns: Leo Platform Compromise in npmsecurityboulevard.com
- GBHackersShai-Hulud Hades Payload Hits 20 Leo/RStreams npm Packages in Fresh Supply Chain Attackgbhackers.com
- Microsoft Threat IntelligenceMicrosoft Threat Intelligence — Leo Platform / RStreams supply chain attackx.com